mirimir said: It's not going to be just a list. I'm planning another how-to guide. I'll cover installing and configuring software, etc, etc. If y'all would like to collaborate, I hope your collaboration invites fall into place. With updates, etc., looks like you've got a lot on your plate. I look forward to following this thread closely.
It does not matter how encrypted and secure the email is if the OS and the hardware are both compromised and via those loopholes they will be able to extract your password whether its PGP or K9 or anything else. If I was the head of intelligence agency with task to monitor its own citizens I would simply use program like PRISM to keep tap on everyone and then those special targets that use some kind of way to evade PRISM, I would use my infinite $$$$ budget to compromise hardware/compromise OS or for those much more interesting targets do the old fashion way. As a matter of fact just by entering this website you have probably made on a list of potential terrorists. Sad, but that's how things are run now in the digital age. If you really wanted to go extreme then I would suggest using old laptop/computer, maybe pre 1997 or older with hope that the hardware is not compromised yet, custom LINUX based operating system (I don't remember which one is most secure these days) and of course do what Snowden did, which is put a blanket over your head when typing in password. Just a warning, you might then really become interesting to our friends at the NSA. And then the good old fashion wench comes to mind. There is a good reason why Snowden was worried for his life.
You mean, the firmware sees what you're typing before you encrypt and send the message? And has access to the keys anyway? I still don't get how phones are backdoored by default. I believe you, I just would like to understand that assertion better and how it is essentially different from PCs. Also, doesn't something like Qubes protect even against a backdoored bios? I thought that was part of it's whole brilliance, to even protect against evil maid attacks?
As I understand it, nothing can hide from the hardware that it's running on. I'm not technical enough to discuss specifics.
I started using Yandex recently it's pretty user friendly and I guess the Russians can ease drop on me now. Yandex is the only webmail that can be a default mail handler on Chromium or Chrome besides Gmail - not using Mailto but through the browser settings.
Okay, I'll have to research it more. The primary Qubes dev does have an anti evil maid attack protocol which doesn't really secure you against a compromised bios, but it is capable of warning you that your bios has been compromised (and protecting you against having your encryption passphrase sniffed by camera or electromagnetic leak) : http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html https://wiki.qubes-os.org/wiki/SecurityGuidelines#AntiEvilMaid Apparently you don't even need Qubes, it works in Fedora and potentially other Linux distros.
I heard that Jacob Appelbaum, a Tor dev targeted by the US govt, uses a secured signed coreboot for security but I imagine that actually implementing this yourself would be very difficult. Beyond just the BIOS firmware, you have drivers and such for everything- the hard drive, video cards, etc. that can all potentially be backdoored. The NSA's TAO in a large part goes after these drivers that most would overlook I think the number one thing to prevent these types of attacks is stringent physical security, which is easier said than done. Your own home can be broken into while you sleep by a determined agency, so to prevent these sorts of attacks it would take a radically paranoid lifestyle change...
Yeah, I'm not really personally worried about being targeted individually by the NSA and cleary unless you are very sophisticated and paranoid that's going to be a hard adversary to resist. Even Snowden for all the steps he took, expected to be found out in short order. If you look at the article on the Qubes founder's blog, however, her solution is actually pretty easy to use, I think. And it can be set up on a USB stick that you plug into the computer to verify that it hasn't been tampered with. So as long as the USB stick is always on your person and hasn't been compromised, you should be safe. She does say that it would still be vulnerable to an attack in which at a minimum the motherboard and hard drive were replaced, with devices that had radios allowing (if I'm understanding it correctly) a type of man in the middle attack. You're going to have to be someone really special to be targeted for that kind of attack (they'll probably just hit you with the wrench first). Nothing's perfect. But for those of us who aren't spies or criminals (or otherwise juicey targets), I think it's possible to obtain some pretty good privacy (no pun intended).
This won't be popular, but it's the truth: A lot of very serious people are saying iOS iMessage is as secure as anyone is going to get - and it's pretty damn good. It's fully encrypted now and Apple made, essentially a business decision, that they can't police iMessage. Hence, they killed three birds with one stone - 1.) Took away the ability to snoop into iMessage (Period. So don't even bother asking), 2.) Made friends of a lot of privacy advocates, 3.) Bolstered enterprise sales. Apple has already updated their Law Enforcement Request page to indicate that iMessage, photos, notes, are no longer available from any user who is using an iOS 8 device with even the 4 digit pin. Basically they've told law enforcement to stop bugging them with requests for these things because now they don't even have access to them. This new policy, as you know, has angered local, state and federal law enforcement. (That link is truly a must-read in its defense and belief in Apple security.) Keep in mind, the hardware encryption for iMessage, that Apple holds no key, is only good on iOS devices running iOS 8. Your messages are encrypted in the cloud with the same key you choose on your device. IMPORTANT: The 4 digit "pin" won't cut it. Switch to strong encryption under the passcode setting>toggle simple passcode to off>enter current passcode to verify>select strong encryption> enter your new non-4-digit- "password." A decent article from the mainstream tech press: http://www.computerworld.com/articl...re-a-weak-point-in-ios-8-data-encryption.html
I think you're confusing two things. Apple has beefed up the encryption of data on iPhones themselves. They do not hold the key to encrypted data on your device. But I don't think they've done anything new with iMessage and this is not the case with iMessage messages. So a seized iPhone might be difficult for law enforcement to decrypt but iMessage texts are different. This information is a bit old, but Bruce Schneier and others pointed out that Apple's supposed "end-to-end" encryption in iMessage is not that secure. Apple clearly holds the keys for iMessage texts and stores your messages indefinitely on their servers (whereas normal texts are stored only briefly by mobile carriers). So with a proper warrant, law enforcement can make Apple provide messages from their servers. Schneier also points out the obvious, that iMessage (and iOS for that matter) is closed source. So one has to assume that everything Apple is saying is true. That's a big assumption. See: https://www.schneier.com/blog/archives/2013/04/apples_imessage.html https://www.techdirt.com/articles/2...lying-that-it-cant-read-apple-imessages.shtml Again, that information is kind of old, but I think it's still accurate as far as iMessage goes. In addition, iOS backs a lot of stuff up automatically to iCloud now. All of that stuff is also potentially available to law enforcement and not protected by the encryption on your device (I don't think iCloud works like SpiderOak, storing only information first encrypted on your device). This vulnerability is pointed out by the security researcher, Joseph Bonneau, interviewed for the article you link to (https://freedom-to-tinker.com/blog/jbonneau/guessing-passwords-with-apples-full-device-encryption). Also, let us not forget that the Supreme Court recently ruled that you can be forced to provide your fingerprint to unlock a device. The Court said it's not like a password (which is knowledge in your head), it's an external piece of information that you leave everywhere, and so you have no fifth amendment protection for you fingerprint. In addition, it has been demonstrated that it is easy to lift fingerprints from other surfaces and use it to unlock an iPhone. So I think the vast majority of Apple users are vulnerable in these two ways, since they are probably opting for the convenience of the fingerprint unlock on their devices. Further most users probably just use the ridiculous default 4 number pin code and not a long strong password. Joseph Bonneau discusses, in the article above, how this is easily cracked on new iPhones. This means for all practical purposes very few people are going to have iPhones that are not easily accessed. Only those willing to forego fingerpint unlocking and type in a long, strong password every time they unlock their device will have secure devices (and even then, they will remain vulnerable to everything Apple stores from their device on Apple's servers--including messages from iMessage). * Here's what Apple actually says on their website: "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8." They're not saying that can't provide law enforcement with what's in the cloud. They're saying they can't access data on devices. That is the only thing they explicity say they cannot access (all of the vulnerabilities I outline above notwithstanding). Apple then glosses over really quickly the issue of what's on their servers: "Responding to an Account Request most often involves providing information about a customer’s iTunes or iCloud account. Only a small fraction of requests from law enforcement seek content such as email, photos, and other content stored on customers’ iCloud or iTunes accounts." You can see, they make no statement about iMessage messages one way or the other, though as Schneier and others have surmised, they do have that information stored and can access it. And Apple is clear that they do get warrants and divulge information, though they try to play it down: "All content requests require a search warrant. If we are legally compelled to divulge any information and it is not counterproductive to the facts of the case, we provide notice to the customer when allowed and deliver the narrowest set of information possible in response." Note the "when allowed" language, meaning they may get national security letters and divulge your information without notifying you--and also clearly meaning they are not using a warrant canary (although this technique has yet to be tested in practice or in the courts and may not be reliable). See: https://www.apple.com/privacy/government-information-requests * So really, there's a lot of smoke and mirrors here. Data on your iPhone itself might be safe if you have a good password and don't use fingerprint unlocking (and if we believe Apple when it "promises" there are no backdoors, since no independent party can review the closed source code). But your iMessages and a lot of information from your device is in the cloud in a way that Apple has access to and by extension any law enforcement agent with a proper warrant can access it (as well as sophisticated hackers who get into Apple's servers).
You may want to add openmailbox.org It features an embedded GPG client, it's possible to send/receive GPG encrypted emails in the webmail. Keys are store locally in the browser. Storage is 1GB for free. Based in France.
"Autistici/Inventati": NO PRIVACY ANYMORE Their mail server "mail.autistici.org" which was originally ONLY redirecting to one server in the Netherlands (latitanza.investici.org) now ALSO redirects to a French server (perdizione.investici.org) located in Paris at OVH! Just do a traceroute to "mail.autistici.org" and see by yourself. About half the time, it goes to the French server... As you know, French government have legalized mass surveillance a few days ago: https://ma.ttias.be/french-law-forces-backdoors-on-isps/ https://www.opendemocracy.net/digitaliberties/félix-tréguer/france’s-intelligence-bill-legalises-mass-surveillance These Italians seem to have sold their interesting "activists" database to the French! Traitors! Any comment?
Did a search on Wilders and couldn't find anything about this.... thoughts? Note : their privacy policy might as well be non existent. hxxp://confidentialcc.com/
I've heard that Tutanota nukes accounts created via Tor. Try it and see. I will, when I get the chance to fire up a Whonix instance.
If you mentioned that prior, I don't remember seeing it. Thanks for letting us know. I don't "do" apple either, for online stuff that is. I wouldn't trust apple with a bargepole. I just did a search on that site and if the word Apple is there I can't find it. I saw mention of iOS though. What gets me is this... ( the last entry on their FAQ) With all the fancy promises they make (albeit proprietary) how would they be able to....so another case of speaking with a forked tongue.
